Argentinian companies are off to a good start but still have a long way to go to fully protect their customers’ personal data and be transparent about who has access to it. This years' report shows Telefónica-Movistar taking the lead, followed far away by Telecentro, IPLAN, Claro. This was the first year Claro was included in the Argentina report and it presented poor results compared to its evaluation in other countries in which it operates, such as Chile and Brazil. This year, two companies from theprevious report have merged, Fibertel (Cablevisión) and Arnet (Telecom), leading to a concentration of 68% of the fixed broadband market in just one firm.

This year's edition also rates for the first time the three most popular delivery service apps – Glovo, Pedidos Ya,and Rappi – which represent a growing market in the country and similarly deal with sensitive details about peoples’ habits. Rappi is the best ranked among them.

Regarding ISPs, the scores are similar to the first edition with a few notable improvements, such as IPLAN’s release of a privacy policy.

The final results of the report are below. The full study, including details about each company, isavailable in Spanish.

Evaluation Criteria for ¿Quién Defiende tus Datos? Argentina

This year’s report assesses companies’ policies in six areas:

Privacy Policy: A company’s privacy policy should be easy to find and to understand, and should tell users which data is being collected, and for how long the company stores it. The privacy policy should cover consent, information, and data accuracy obligations, data subject’s rights (like right of access to personal data and how it may be exercises), and whether the company’s databases are registered within the data protection authority. The privacy policy should also state when and how the company will inform users of any changes to the policy.

Transparency: Companies should publish periodic transparency reports that are accessible to the public, and detail how many government requests have been received, complied with, and rejected.

Notification: Companies should commit to notifying users of government data demands, and Bonus points if they do the notification a priori.

Judicial Order: Companies should require investigation authorities to obtain a court order before handing over data, and should commit to this standard for metadata requests as well.

Law Enforcement Guidelines: Companies should have publicly available guidelines for law enforcement requests, including detailed information considering the local legal context.

Promotion and Defense of Human Rights: Companies should judicially resist data requests that are excessive and do not comply with legal requirements, and should promote policy, legislative, and other initiatives to foster users’ privacy and data protection.

Main findings

Delivery service apps rate better than ISPs in privacy policies, but don’t show many stars in other criteria. The exception is the judicial order category, in which Glovo y PedidosYa stipulate handing over personal data when required by law, by the competent authorities, or following “prior legal request.” However, they don’t clarify which requirements should be met or which type of legal request is needed. Even so, they still rank ahead of Telecentro, IPLAN, and Claro in this parameter. Fibertel/Telecom stands out with a half-star for committing to request a judicial order before handing over personal data. The company didn’t receive the full score since it seems to state that law could authorize law enforcement access data even without a court order. It does not detail the legal grounds or which data could be handed regardless of a warrant..

Fibertel/Telecom and Rappi are the only ones that fully accomplish the parameters assessed for privacy policies.

As for the transparency category, no company received the maximum score. Movistar earned a half-star for publishing periodic transparency reports showing the number of requests received, approved, and rejected. However, the report isn’t easily accessible for Argentinian users, for it is only available on the parent company’s website. Likewise, AT&T, DirecTV’s parent company, also scored a half-star for publishing periodic transparency reports, which are scantily summarized for requests received outside the U.S. It doesn’t clarify, for example, if the total number reported for Argentina relates to all the requests received or only the ones the company responded to.

Both companies also received a half-star in the notification category. DirecTV states that, whenever possible, it will make efforts to notify users about personal information requests by "competent authorities." Yet, the language used leaves a wide room for discretion as well as failing to clarify if the notification will take place before or after handing the information to authorities. Movistar simply states it will notify users about the requests received "to the extent allowed by law and procedural rules." The company omits any further details on how it understands and applies such legal and procedural rules, failing to specify in which situations users are notified, and when it occurs beforehand or after the fact.

Related Updates

In the face of a global pandemic, there is an urgent need for reporting relating to the spread of the coronavirus and how governments are responding. But it is in times of crisis that the civil liberties we value most are put to the test—and that is exactly what is...

San Francisco—In an important victory for thousands of public interest groups around the world, a proposal to sell the .ORG domain registry to private equity firm Ethos Capital and convert it to a for-profit entity was rejected late yesterday by the Internet Corporation for Assigned Names and Numbers (ICANN).The...

As the proposed sale of the .ORG domain registry to private equity firm Ethos Capital plays out, we see more and more why this sale was rushed through: the longer we have to look at it, the more questions we all have, and the fewer answers we get. For the...

“There are myriad reasons why individuals may wish to use a name other than the one they were born with. They may be concerned about threats to their lives or livelihoods, or they may risk political or economic retribution. They may wish to prevent discrimination or they may use a...

The Internet Corporation for Assigned Names and Numbers (ICANN) is reviewing the proposed sale of the .ORG domain registry to private equity firm Ethos Capital, and ICANN has the power to stop the sale. EFF and several other organizations joined a public forum today as part of ICANN’s winter...

The Internet Society’s (ISOC) November announcement that it intended to sell the Public Interest Registry (PIR, the organization that oversees the .ORG domain name registry) to a private equity firm sent shockwaves through the global NGO sector. The announcement came just after a change to the .ORG registry agreement—the...

The further the "Right to be Forgotten" (RTBF) online progresses from its original creation by Europe's Court of Justice, the broader and more damaging its ramifications seem to be. The latest attempt to insert it is a rushed proposal in Uruguay. The complaints of multiple digital rights groups across...

This week, prosecutors in Brazil filed a criminal complaint against Glenn Greenwald, an internationally lauded journalist best known for publishing leaked documents detailing the NSA’s mass surveillance. Greenwald’s prosecution is an attempt to use computer crime law to silence an investigative reporter who exposed deep-seated government corruption. Sadly, this...